Hacking the Internet - bringing down infrastructure

Why should hackers try to disable computers when they might be able to set their sights higher? Routers can be just as vulnerable as servers, so why not bring down the entire Internet?

The US Department for Homeland Security (DHS) was set up in November 2002 with the primary responsibility of protecting the USA and its territories from terrorist attacks, accidents, and natural disasters. However, its remit has slowly spread in recent years to cover the nation's Critical National Infrastructure, which includes the structure of the Internet itself. Surprisingly perhaps, the DHS has never really got to grips with raising the security of the Internet's own architecture – the integral global system of interconnected computer networks that use the standard Internet protocol suite (TCP/IP) to serve several billion users worldwide.

This may seem at odds with the heightened sense of cyber-security that has arisen over the last decade, but anecdotal evidence suggests that this stems from the widely-held misunderstanding that the Internet is so diverse as to be resilient to anything other than an extreme national catastrophe, such as a nuclear strike. Not so: the Internet is nowhere near as robust as some might want to believe.

Whilst the beginnings of the Internet can be traced back to October 1969 when the first two nodes of what would become the ARPANET were interconnected on the US West Coast, the Internet of 2013 is best described as a mesh of computer networks that are interconnected by a common set of protocols and standards.

Any assumption that the Internet has perpetuated the original aim to establish an ultimately robust, fault-tolerant communication system – one that operates via computer networks, and would be largely unaffected by large-scale military offensive action – is not wholly accurate.

Widespread concerns over how resilient the Internet would be to a concerted attack by persons unknown surfaced when the first wide-scale distributed denial of service (DDoS) attacks started taking place in late 2010 – driven largely by the hacktivist group now known as Anonymous. Anonymous made use of a DDoS attack application known as LOIC (Low-Orbit Ion Cannon), which is based on an open-source network stress-testing package first developed by Praetox Technologies.

LOIC moved the concept of a multi-user DDoS attack out of the text books and into real-world environments, using a five-pronged attack strategy based on the 'maxing out' of Internet computational resources, including bandwidth, disk space, and/or processor time.

One of Praetox Technologies' least-known DDoS attack vectors involves the disruption of configuration information, such as routing information, on the Internet. The good news is that this attack vector – known also as 'DNS poisoning' – seems never to have made it into the LOIC software or its successors. The even better news is that, following some DNS routing screw-ups, the Internet is now relatively immune to routing table/DNS attacks.

Many observers think of DDoS attacks as requiring major bandwidth resources – in the hands of 'Black Hat' (malicious) hackers – in order to mount. However, as Anonymous has proved with LOIC, several hundred users' minor bandwidth can be married together to stage a wide-band DDoS attack. Then there are 'slow and low' attacks, which force a server's IP/transactional resources to time out – the broadband equivalent of busying-out multiple trunk/international lines in the old days of 'phreaking' (telephone system hacking) – to consider.

Preparing for cyber attack

It's worth noting that almost all of the attacks reported by DDoS remediation specialists such as Akamai, Arbor Networks, and Prolexic, have focused on attacks on major corporations. It is logical to predict, however, that the scale of DDoS attacks could ratchet up with the current state-sponsored cyber espionage attacks gravitating toward national DDoS attacks at some point.

Those targeted, or likely to be, can do a lot to protect their host systems and endpoint devices from such offensive action. The bad news is that the Internet is not properly prepared for this type of attack.

Back to phone phreaking, however, and it should be noted that LOIC – and other DDoS applications seen before and after the rise of the Anonymous hacktivist collective – have even closer parallels to the so-called 'Blue Boxes' so beloved of phone 'phreakers' in the 1970s and 1980s. They both attack the publicly-accessible elements of, respectively, the telephone network and today's Internet.

What if a diehard hacker – or group of hackers – were to complete the same task with the contemporary Internet, disrupting more than the public-facing elements of it, and temporarily (or semi-permanently) disrupting the control systems of the Internet's architecture itself – the routers and switches, and other Internet-working hardware and software? And what if the world's Internet Exchange points (known as IXs or IXPs) were targeted as part of a concerted series of attacks intended to bring down the Internet infrastructure, as opposed to compromising servers and other computer devices that hang off the end? This issue receives much less attention than the latter in the general debate over cyber vulnerabilities.

The fragility of the Internet's architecture – on a local country level – was highlighted last March when DDoS attacks of around 300Gb/s were seen on the servers of Spamhaus, the not-for-profit anti-spam security organisation. Though not massive on a country capacity basis, it was sufficient to slow down and even freeze access to the Spamhaus site on multiple European country networks at peak times for days – with many European country Internet services slowed down as a result. Spamhaus was able to assuage most of the effects of the attack by working with CloudFlare, a US-based cloud security specialist. A Dutch national was arrested in Spain in connection with allegedly orchestrating the attacks. The 35-year-old male suspect was found to have been working from a bunker in north-eastern Spain and also had a van, equipped with 3G and 4G cellular services, that was said to be capable of hacking into networks anywhere in the country.

The man is reportedly linked with Cyberbunker, a Dutch organisation housed in a five-storey NATO bunker that advertises itself as a 'hosting provider'. As with the open-source LOIC software developed by Anonymous, the Spamhaus incident proves that multiple servers are not always needed to orchestrate a major attack that can cause painful regional brown-outs on the Internet.

Hack the Internet Service Provider

Before examining this possibility further it is important to note that the Internet infrastructure is not entirely without protection. As it is highly unlikely that a hacker could successfully subvert national peering points in individual countries – London's Telehouse centres, for example – due to physical and electronic constraints, we must first start to look at how to subvert an Internet Service Provider's resources.

It is unlikely that any sensible, diligent ISP would allow anyone other than a senior employee or engineer to access their main switching room, but a switching console – in the shape of a supposed secure Web interface – might become accessible to a knowledgeable, skilled, well-motivated hacker. That switching console would never be accessible using conventional means, but it could be made accessible by adroitly hacking into the communications infrastructure of the Internet on the users' side of the ISP's system.

The primary attack vector in this instance would be the DSLAM – digital subscriber line access module – and its allied digital concentrators at the local telephone exchange facility. DSLAMs are network devices, often located in the telephone exchanges of the telecommunications operators, which connect multiple customer digital subscriber line (DSL) interfaces to a high-speed digital communications channel using sophisticated multiplexing techniques.

A typical DSLAM aggregates the DSL lines over its very-high capacity asynchronous transfer mode (ATM), Frame Relay, and/or IP network connections. The aggregated traffic is then directed to an ISP's backbone switch, normally at speeds of up to 10Gb/s.

In use, a DSLAM typically acts like a network switch, as its functionality is at Layer 2 of the OSI (Open Systems Interconnection) model, a conceptual model that characterises and standardises the internal functions of communication systems by partitioning them into abstraction 'layers'. This means that a DSLAM cannot normally re-route traffic between multiple IP networks, only between ISP devices, and end-user connection points. However, since the DSLAM traffic is then switched to a broadband remote access (BRA) server where the end-user traffic is then routed across the ISP's network and out on to the Internet, it follows that subverting the DSLAM at the software level would allow access to the basic infrastructure of the Internet that is not normally accessible to consumers or business ISP customers.

Allied to this is the fact that it is now possible to hack users' broadband routers without their knowledge and so harness them into a botnet-driven DDoS swarm while their computers remain intact and operational. Here we have the interesting situation of a botnet swarm centring on a swarm of modems, rather than computers, as is the case with LOIC.

This is getting close to the 'hacking the grid' concept, a possibility that leading security experts have discussed (privately) at various security conferences in recent years. But instead of hacking users' broadband modems, why not hack the DSLAMs at the exchange? Using incremental bandwidth, you have the perfect on-grid, undetected hacking resource.

Cherchez la Femtocell

At the Black Hat USA conference in Las Vegas in July 2013, two researchers from'security firm iSEC Partners – Tom Ritter and Doug DePerry – revealed that they had recoded the firmware of a Verizon Wireless femtocell to act as a monitoring device for all communications routed through the gateway.

Femtocells are a compact, low-power cellular basestation that is designed to boost signal reception in homes or for small businesses, operating as a mini basestation for registered handsets in the vicinity, and routing the resultant voice and data transmissions across a broadband connection into the cellco's network.

From an on-network perspective, this is achieved through the use of an EMX (Electronic Mobile eXchange) connected network server known as a femtocell gateway. This consists of a security gateway that terminates large numbers of encrypted'IP data connections from thousands'of femtocells, and a signalling gateway which aggregates and validates the signalling traffic, authenticates each femtocell, and interfaces with the mobile network core switches using standard networking protocols. The management and operational system of the gateway then allows software updates and diagnostic checks to be administered. These typically use the same TR-069 management protocol published by the Broadband Forum, and also used for administration of residential and most business femtocell modems. As with other units, the Verizon Wireless femtocell – manufactured by Samsung – routes cellular voice and data calls via the customer's broadband connection.

Femtocell loopholes

As Ritter and DePerry of iSEC Partners revealed, by subverting (hacking) the femtocell software, the functionality of the unit remains mostly unchanged, but with the important proviso that a copy of the IP traffic destined for the on-network femtocell gateway is routed to a data server destination of the hacker's choice.

The iSEC team's recoding of the Verizon Wireless femtocell is made all the more interesting because security on femtocells tends to be very tight, owing to the potential of the devices to bypass agreed international roaming arrangements.

Anecdotal evidence, for example, suggests that in the early days of Vodafone's SureSignal femtocell deployments in the UK, the devices were an instant hit with British ex-patriots in Spain.When the first Vodafone Access Gateways were released in July 2009, the Alcatel-Lucent units reportedly allowed people in Spain to make femtocell-based calls to UK mobiles as if they were based in the UK.

The loophole was sealed when Vodafone rebranded its femtocells as SureSignal units in January 2010, adding a geographic IP number check among other additional security measures, including a GPS chipset, to its system software, before allowing the unit to log into its femtocell gateway system.What Ritter and DePerry demonstrated at Black Hat USA was that they could 'weaponise' the hacked femtocell for stealth attacks by packaging all equipment needed for a surveillance operation into a backpack that could be dropped near a target they were seeking to monitor.

But what if the femtocell's software could be completely subverted and replaced by a suite of hacker applications that, as well as allowing gateway access into the communication opertaor's network using the TR-069 management protocol, also allow access to the DSLAMs and BRA routers at the local telephone switch?

Perhaps understandably, hardware and network router manufacturers are quite tight-lipped about discussing the security of their technology if pitted against hacker subversion. That said, there have been some excellent presentations on security deficiencies in DSLAMs and associated telecoms switch routers at a number of conferences. At the Defcon 2012 event – held in Las Vegas in August last year – for example, Felix Lindner (aka 'FX'), the head of security research firm Recurity Labs, presented about a number of apparent vulnerabilities in routers from the vendor Huawei. Huawei is one of the fastest growing providers of networking and telecoms hardware in the world; and, Lindner reckons, supplier of kit that runs half of the world's Internet infrastructure.

Lindner, whose main claim to fame prior to his Defcon 2012 revelations were his 2009 analyses of a number of alleged vulnerabilities on Cisco Systems networking hardware (at the Chaos Communication Congress in 2009), described the security of the Huawei devices as "the worst ever", and told his audience that they are certain to contain more vulnerabilities.

Lindner claimed that almost all Huawei routers – which are built on a common chassis – have over 10,000 code calls in the unit's firmware to 'sprintf', a function that is known to be insecure. Lindner explained that most of his tests were carried out on the vendor's AR series of routers – those often used by enterprises – adding that he has been unable to check for flaws in the NE router class, which are used by telcos and ISPs, simply because he has been unable to have access to the products.

Lindner was also critical of Huawei for its "lack of transparency" when it comes to raised security alerts response. Huawei is far from alone in having 'security issues' with its routers and modems, with Alcatel-Lucent, Avaya, and Cisco – to mention but a few – being the subject of researchers' findings and subsequent patches, usually by firmware updates.

Lindner has, for example, been tracking Cisco vulnerabilities and allied issues for some time, and presented an exposition on the latest round of issues with Cisco routers – which form part of the infrastructure of the Internet (along with hardware from other vendors) – at the CONFidence conference in Krakow, Poland, in May 2013.

Lindner's presentation (now available on YouTube) argued that misconfiguration is often the root cause of security vulnerabilities on routers, although there are still a few true firmware issues that give Black Hat hackers reason to live. These vulnerabilities, he admitted, are rare – in 2008, for example, only 14 vulnerabilities were published for Cisco's firmware; Juniper Networks only reported a memory leak and an OpenSSL issue. Nothing was disclosed by router vendor Nortel Networks. And 2008 was a 'busy' year for router vulnerabilities.

The last five years, however, have seen the IP network landscape changing – really changing – with all manner of complex, next-generation traffic now flowing across Internet routers – e.g., IPv6, SSL-VPN, VoIP, and Web service routing traffic – creating new potential incident scenarios.

On top of this, as Lindner points out, most routers don't run network services; if they do, then you probably need to find a new network administrator.